#!/bin/sh

MAKENSIS="${MAKENSIS:-makensis}"
OSSLSIGNCODE="${OSSLSIGNCODE:-osslsigncode}"
ROOT="${ROOT:-tmp}"
OPENVPN_ROOT="${ROOT}/openvpn"
OPENVPN_ROOT_I686="${ROOT}/i686"
OPENVPN_ROOT_X86_64="${ROOT}/x86_64"
EASYRSA_ROOT="${ROOT}/easy-rsa"

SIGN_DIGEST=${SIGN_DIGEST:-sha256}

die() {
	local m="$1"
	echo "FATAL: ${m}" >&2
	exit 1
}

dospath() {
	local p="$1"
	echo "$p" | sed 's/\//\\/g'
}

codesign() {
	local f="$1"
	if [ -n "${DO_SIGN}" ]; then
		echo "Signing '${f}'"
		"${OSSLSIGNCODE}" \
			-h "${SIGN_DIGEST}" \
			-pkcs12 "${SIGN_PKCS12}" \
			-pass "${SIGN_PKCS12_PASS}" \
			-t "${SIGN_TIMESTAMP_URL}" \
			-in "${f}" \
			-out "${f}.tmp" \
			|| die "Cannot sign '${f}'"
		rm "${f}"
		mv "${f}.tmp" "${f}" || die "Cannot move into '${f}'"
	fi
}

layout() {
	mkdir -p "${OUTPUT_DIR}"
	rm -fr "${ROOT}"
	mkdir "${ROOT}"
	mkdir "${OPENVPN_ROOT}"

	mkdir "${OPENVPN_ROOT_I686}"
	mkdir "${OPENVPN_ROOT_X86_64}"

	tar -C "${OPENVPN_ROOT_I686}" -xf "${OPENVPN_TARBALL_I686}" || die "extract openvpn: ${OPENVPN_TARBALL_I686}"
	tar -C "${OPENVPN_ROOT_X86_64}" -xf "${OPENVPN_TARBALL_X86_64}" || die "extract openvpn: ${OPENVPN_TARBALL_X86_64}"

	if [ -n "${EASYRSA_TARBALL}" ]; then
		tar -C "${ROOT}" -xf "${EASYRSA_TARBALL}" || die "extract easy rsa"
		mv "${ROOT}"/easy-rsa-*/easy-rsa "${EASYRSA_ROOT}"
	fi
}

text() {
	find "${OPENVPN_ROOT}/share/doc"/*  -type f | xargs unix2dos || die "unix2dos"
	if [ -d "${EASYRSA_ROOT}" ]; then
		unix2dos "${EASYRSA_ROOT}/2.0"/*.cnf "${EASYRSA_ROOT}/Windows"/* || die "unix2dos"
	fi
}

sign() {
	find "${ROOT}" -name '*.dll' -or -name '*.exe' | while read f; do
		codesign "${f}"
	done || die "cannot sign"
}

main() {
	layout

	. "${OPENVPN_ROOT_I686}/version.sh" || die "cannot find openvpn version.sh"

	sign

	mkdir -p ${OPENVPN_ROOT}/share/doc/openvpn/

	cat \
		"${OPENVPN_ROOT_I686}/share/doc/openvpn/COPYING" \
		"${OPENVPN_ROOT_I686}/share/doc/openvpn/COPYRIGHT.GPL" \
		> "${OPENVPN_ROOT}/share/doc/openvpn/license.txt" || die "license.txt"
        text	
	VERSION_STRING="${OPENVPN_PACKAGE_VERSION}-I${INSTALLER_VERSION}${INSTALLER_SUFFIX}"
	OUTPUT="${OUTPUT_DIR}/openvpn-install-${VERSION_STRING}.exe"

	"${MAKENSIS}" \
		-DARCH="${ARCH}" \
		-DPACKAGE_NAME="${OPENVPN_PACKAGE_NAME}" \
		-DVERSION_STRING="${VERSION_STRING}" \
		-DSPECIAL_BUILD="${SPECIAL_BUILD}" \
		-DOPENVPN_ROOT="$(dospath "${OPENVPN_ROOT}")" \
		-DOPENVPN_ROOT_I686="$(dospath "${OPENVPN_ROOT_I686}")" \
		-DOPENVPN_ROOT_X86_64="$(dospath "${OPENVPN_ROOT_X86_64}")" \
		-DTAP_WINDOWS_INSTALLER="$(dospath "${TAP_WINDOWS_INSTALLER}")" \
		${TAP_WINDOWS_INSTALLER:+-DUSE_TAP_WINDOWS} \
		-DWINTUN_INSTALLER_X86_64="$(dospath "${WINTUN_INSTALLER_X86_64}")" \
		-DWINTUN_INSTALLER_I686="$(dospath "${WINTUN_INSTALLER_I686}")" \
		-DOPENVPNSERV2_EXECUTABLE="$(dospath "${OPENVPNSERV2_EXECUTABLE}")" \
		-DEASYRSA_ROOT="$(dospath "${EASYRSA_ROOT}")" \
		${EASYRSA_TARBALL:+-DUSE_EASYRSA} \
		-DUSE_OPENVPN_GUI \
		-DOUTPUT="${OUTPUT}" \
		build_openvpn.nsi || die "makensis"

	codesign "${OUTPUT}"
}

OUTPUT_DIR="."
INSTALLER_VERSION="000_snap"
SPECIAL_BUILD=""

while [ -n "$1" ]; do
	v="${1#*=}"
	case "$1" in
		--installer-version=*)
			INSTALLER_VERSION="${v}"
			;;
		--special-build=*)
			SPECIAL_BUILD="${v}"
			;;
		--openvpn-bin-tarball-i686=*)
			OPENVPN_TARBALL_I686="${v}"
			;;
                --openvpn-bin-tarball-x86_64=*)
                        OPENVPN_TARBALL_X86_64="${v}"
			;;
		--easy-rsa-tarball=*)
			EASYRSA_TARBALL="${v}"
			;;
		--tap-windows=*)
			TAP_WINDOWS_INSTALLER="${v}"
			;;
		--wintun-installer-x86-64=*)
			WINTUN_INSTALLER_X86_64="${v}"
			;;
		--wintun-installer-i686=*)
			WINTUN_INSTALLER_I686="${v}"
			;;
		--openvpnserv2=*)
			OPENVPNSERV2_EXECUTABLE="${v}"
			;;
		--sign)
			DO_SIGN=1
			;;
		--sign-digest=*)
			SIGN_DIGEST="${v}"
			;;
		--sign-pkcs12=*)
			SIGN_PKCS12="${v}"
			;;
		--sign-pkcs12-pass=*)
			SIGN_PKCS12_PASS="${v}"
			;;
		--sign-timestamp=*)
			SIGN_TIMESTAMP_URL="${v}"
			;;
		--output-dir=*)
			OUTPUT_DIR="${v}"
			;;
		--help|*)
			cat <<__EOF__
Usage: $0
	--installer-version=version     installer version
	--special-build=string	        special build string
	--openvpn-bin-tarball-i686=tarball	openvpn binary tarball
	--openvpn-bin-tarball-x86_64=tarball	openvpn binary tarball
	--easy-rsa-tarball=tarball	easy-rsa source tarball
	--tap-windows=installer         tap-windows installer
	--openvpnserv2=executable	openvpnserv2 executable
	--sign				do sign
	--sign-digest=digest		specify signing digest (default: sha256)
	--sign-pkcs12=pkcs12-file	signing PKCS#12 file
	--sign-pkcs12-pass=password	PKCS#12 file password
	--sign-timestamp=url            URL to be used for timestamp
	--output-dir=output		output directory
	--help				this
__EOF__
			exit 1
	esac
	shift
done

[ -n "${OPENVPN_TARBALL_I686}" ] || die "please specify openvpn binary tarball"
[ -n "${OPENVPN_TARBALL_X86_64}" ] || die "please specify openvpn binary tarball"
[ -f "${OPENVPN_TARBALL_I686}" ] || die "cannot find openvpn binary tarball '${OPENVPN_TARBALL_I686}'"
[ -f "${OPENVPN_TARBALL_X86_64}" ] || die "cannot find openvpn binary tarball '${OPENVPN_TARBALL_X86_64}'"
[ -f "${OPENVPNSERV2_EXECUTABLE}" ] || die "cannot find openvpnserv2 executable '${OPENVPNSERV2_EXECUTABLE}'"
if [ -n "${EASYRSA_TARBALL}" ]; then
	[ -f "${EASYRSA_TARBALL}" ] || die "cannot find easy-rsa tarball '${EASYRSA_TARBALL}'"
fi
if [ -n "${DO_SIGN}" ]; then
	[ -n "${SIGN_PKCS12}" ] || die "please specify PKCS#12 file"
	[ -f "${SIGN_PKCS12}" ] || die "cannot find PKCS#12 file '${SIGN_PKCS12}'"
fi
SIGN_TIMESTAMP_URL="${SIGN_TIMESTAMP_URL:-http://timestamp.verisign.com/scripts/timstamp.dll}"

main
